One Man’s Threats Are Another Man’s Opportunities (Embracing Disruptive Technology)

I popped on over to get what I suspected would be my weekly fill of Botnets gone wild and other malware-laden horror stories only to be surprised to find that the top emerging security threats were actually many of the same strategic technologies that CIOs reported to Gartner as those "…with the potential for significant impact on the enterprise in the next three years." Go figure.

Jim summarized the intent of his post thusly:

Emerging technologies can bring a whole host of benefits, often
improving productivity, changing the way businesses interact and
enhancing the lives of people all over the world.

And whenever a new technology comes out and gets a lot of hype,
there is a lot of enthusiasm about the many benefits and new
capabilities that this technology provides.

But, also without fail, there is one key thing that almost no one ever talks about. What is this hidden factor? It’s security.

Over the years I’ve gone to lots of conferences and seminars
dedicated to emerging technologies, from Web 2.0 to virtualization to
virtual worlds. And the one thing that pretty much never gets covered
(or even mentioned) in these conferences is security.

Of course, this is understandable. New technologies are just
introducing themselves to the world. It’s sort of like a first date.
When you go on a first date, you probably don’t start out talking about
all of your illnesses and insecurities. The same goes for emerging
technologies. Their creators just want to promote their good points.

But for users of these technologies, ignoring the potential security
threats that these emerging technologies introduce can lead to big
problems, including data theft, system compromises and the spread of
malware.

I think that Jim’s analogies are basically good ones; security has historically been treated as an afterthought. But in the context of my last couple of posts, attempting to draw attention to the disruptive effect these technologies have, and to their generally under-capitalized security investment, in the manner in which he does in effect sensationalizes an already flammable scenario.

The reality-based analog that is suitable for contrast here is the old cliche: "guns don’t kill people…people kill people." As corny and over-played as that is, technology doesn’t cause threats to materialize magically; the poor implementation of the technology does.

Rather than work to rationally discuss security in context and consider these disruptive technological innovations as opportunities to leverage, they are ultimately painted here as evil. This is exactly the sort of "security is a speed bump" persona we need to shed!

Check out the purported horror show of "emerging threats" below and compare them to Gartner’s Top 10 Strategic Technologies for 2008-2011 to the right. For these technologies, the "factors that denote significant impact include a high potential for disruption to IT or the business, the need for a major dollar investment, or the risk of being late to adopt."

Ajax

Google Apps

Mobile Devices & Applications

RFID

Rich Internet Applications

RSS

Social Networks

Virtual Worlds

Virtualization

VoIP

How many of either of the Top-Ten lists above are you dealing with today?

Check out the slideshow. Lovely artwork, but abrasive and vague at best. Rather than paint a balanced portrait of pros and cons as his introduction alludes to or suggest how these technologies can be deployed securely, we instead get soundbites like this:

VOIP – VOIP systems have greatly broadened the telecom options for
businesses, not only freeing them from traditional phones but making it
possible to easily tie voice into other enterprise applications. But
VOIP systems can be easily tapped by anyone and have become an
attractive target for hackers.

The reality is that any new technology has the potential to allow "bad stuff to happen." I think we all know that already. What would be really useful is a way of managing this process. I think there’s a better way of communicating without relying on fear.

First, I just want to say I'm intrigued and interested in where your continued discussion on this subject goes. Just take any comments of mine below as musings, rather than anything of substance. I'm rambling.
"I think there's a better way of communicating without relying on fear."
I'm not sure I agree with that, entirely. I mean, no matter what you say about security (unless you want to get into Virtual Trust and security enabling business…coughughcough), someone somewhere can just say you're being negative and spreading fear. Just the hint of insecurity in something and boom, that can be laid out. And I have yet to meet any managers or execs who would let IT explain that they need to implement A before big technology B can be used by the company, without asking the direct question of, "Why?"
I agree, we need to stop being so dramatic about the insecurities, but I'm not sure we can inherently stop…at least not without losing our religion.
Of course, if we stop being blunt, then technology won't be seen as disruptive; it will be requested hands down by business. Instead, the IT teams will be the disruptive entity…or attackers will have their way.
Then again, there is a huge difference in being a creator of technology and a consumer of it. Five years ago, would my company have been able to implement wireless securely, pre-WPA? No. Not unless I helped rewrite the standards. But for most people, myself included, we were just consumers of the technology. The best we could do is roundabout mitigations. Does that count as implementing something securely, or is that just bandaging and introducing complexity? I guess that may be a matter of perspective…